The European Union’s General Data Protection Regulation (GDPR) kicked off what would be a rolling introduction to more data privacy rights and regulations across the globe. While countries and states can pass their own standards to protect their residents, the new and changing policies make it difficult for organizations to keep track of their responsibilities.

CCPA vs. GDPR

We’re going to break down two of the most well-known and pressing regulations, the GDPR and the CCPA (California Consumer Privacy Act), to give you a bit more clarity. What you need to know is that the general premise of these regulations is the same - to protect consumers’ right to privacy - but they can differ in their requirements and in who is affected.

There are detailed nuances to both, but the following chart should give you a good overview of their key similarities and differences.

What You Need to Know About the General Data Protection Regulation Act

The GDPR is a comprehensive data protection law governed by the European Union that oversees and regulates how organizations and businesses handle the data collection, storage, processing, and sharing of consumer personal data. 

GDPR applies to any entity that collects personal data from EU residents, no matter where the business is located.

The GDPR is widely considered the gold standard of privacy legislation because of its broad framework, its emphasis on individual rights, its strict enforcement (fines can be as steep as 20 million euros), and its strict requirement for transparency.

GDPR Privacy Compliance: The Rights of European Residents

GDPR compliance is all about giving EU residents more control over their personal data. Under this act, residents from the European Union can expect more transparency, accountability, and autonomy related to how personal and sensitive data is collected, processed, and stored by organizations all over the world.

The rights of European residents might not seem like much at the outset, but they have changed the landscape of consumer data rights in many ways:

  1. Right to be informed: Organizations and entities need to tell individuals in very clear and transparent privacy notices why they're collecting data, what they're using it for, and the legal basis they have to collect it. 

  2. Right of access: A person has the right to request and receive a copy of their personal data, as well as details about how their data is being used and what kind of data will be stored.

  3. Right to rectification: A person can make a request to fix or update any information that's wrong or missing.

  4. Right to erasure (right to be forgotten): Under certain circumstances, a person can request that their personal data be deleted entirely, such as when the data is no longer needed for its original purpose, when they withdraw their consent, when the processing does not comply with privacy law, or when legal obligations require it.

  5. Right to restriction of processing: Data subjects can put a temporary restriction on how their personal data is being used in specific situations.  

  6. Right to data portability: An individual can request their personal data in a common format so that there is no technological barrier.

  7. Right to object: A person has the right to opt out of data collection, processing, and storing if the purpose falls under legitimate/public interest, marketing, or research.

  8. Right not to be subject to a decision based solely on automated processing: this especially includes profiling, which could have legal repercussions.

Who Must Comply With the GDPR?

  • Any organization, company, or nonprofit that processes the personal data of EU residents.
  • Any organizations outside of the EU that offer goods and services to EU residents.
  • Data controllers and processors
  • Organizations that handle sensitive data (health data, biometric data, etc.)

What You Need to Know About the California Consumer Privacy Act

The CCPA protects the personal information of California residents similar to how the GDPR protects people residing in the EU, although there are key differences between CCPA and GDPR.

Enforced by the California Privacy Protection Agency (CPPA), the CCPA gives state residents more control over their personal information and imposes responsibilities on any business in the world that handles the data of California residents and meets other criteria.

In most cases, businesses that must comply with the CCPA also probably meet eligibility requirements of the CPRA (California Privacy Rights Act).

CCPA Compliance: The Rights of California Residents

Further down the page, we'll show you a side-by-side comparison to help you see the differences between the two regulations. The following rights include the final two, which were added in the wake of Proposition 24, or the CPRA:

  • The right to know: A person has the right to know what data is being collected, what it's being collected for, and how the organization will process it
  • The right to delete: Under certain circumstances, a data subject has the right to request that an organization delete the personal information that was collected from them
  • The right to opt out: An individual can ask a business to stop selling and sharing their personal information with third parties for advertising purposes.
  • The right to non-discrimination: A person has the right not to be discriminated against for exercising their CCPA rights.
  • The right to correct: A person has the right to request that an organization fix inaccurate personal information it holds about them
  • The right to limit: A person can limit how a business uses or shares their sensitive personal information.

Who Must Comply with the CCPA?

The CCPA requires data compliance from any organization that does business in California and meets at least one of these criteria:

  • Makes over $25 million in yearly revenue;
  • Handles the personal information of 100,000 or more people or households in California; or
  • Generates 50% of yearly revenue from the sale of personal information of California residents.

Now that we've briefly outlined these two data protection laws, let's break down the differences and similarities between them:

CCPA and GDPR Data Protection Laws Comparison Chart

Date
  GDPR: Implemented on May 25, 2018
  CCPA: Implemented on January 1, 2020

Affected entities
  GDPR: Affects any organization inside or outside of the EU that offers goods or services to, or monitors the behavior of, EU data subjects.
  CCPA: Applies to certain organizations inside or outside of California that do business with a California company, have California resident customers, or collect any personal data of a California resident for any purpose. Regulated companies have gross revenue greater than $25M, handle personal data of more than 50,000 consumers for commercial purposes, or derive 50% or more of their annual revenue from selling consumers’ personal data.

Representation
  GDPR: Requires most companies outside of the EU to designate an EU representative if they don’t have a presence in the EU and process personal data of EU residents.
  CCPA: There is no similar representative requirement.

Fines
  GDPR: Lesser violations result in fines of up to 10 million euros ($10.8M USD) or up to 2% of the firm’s worldwide annual revenue from the previous fiscal year, whichever is higher. More severe violations can result in fines of up to 20 million euros ($21.6M USD) or up to 4% of the firm’s worldwide annual revenue from the preceding fiscal year, whichever is higher.
  CCPA: Civil penalties (violations lacking intent) are $2,500 for each violation. Intentional violations are $7,500 each, after notice and a 30-day opportunity to remedy.

Security
  GDPR: Requires data controllers and processors to implement satisfactory technical and organizational measures to ensure adequate security of data.
  CCPA: Does not define or impose data security requirements, but it does give consumers the right to take legal action if a data breach occurs.

Opt-out Rights
  GDPR: No right to opt out of personal data sales, but it does provide consumers the right to opt out of processing for marketing purposes and to withdraw consent to process personal data.
  CCPA: Organizations must provide a clearly visible option for consumers to opt out of the sale of their personal data, and if a consumer selects “Do Not Sell My Personal Information”, the organization cannot ask again for another 12 months.

Rectification Rights
  GDPR: Data subjects have the right to request that an organization correct any incorrect or incomplete personal data.
  CCPA: No right of rectification.

Age of consent
  GDPR: Age of consent is 16, and parents must consent for children under 16. Organizations must still provide an age-appropriate privacy notice to the child and implement increased security measures to protect their personal data.
  CCPA: Age of consent is 13, and parents must consent for children under 16. All provisions in the federal Children’s Online Privacy Protection Act (COPPA) still apply.

Make It Simple: Protect Personal Data and Stay Compliant Through Automation

We only highlighted the most contrasting requirements between the GDPR and the CCPA, but there are other factors that play into how your organization may or may not need to comply. There are also more data privacy regulations on the horizon. Not only will there likely be ongoing modifications to the GDPR and the CCPA, but other countries and states are poised to introduce their own set of standards in the near future. 

This growing web of laws puts organizations in the precarious position of having to keep track not only of where and with whom they do business, but also of all the new and changing privacy legislation across the board. Without a global data privacy regulation that offers one consistent set of rules, compliance will remain an ongoing battle.

Fortunately, organizations can automate consent management, vendor risk monitoring, privacy policy change management, and privacy law changes across the globe - all with only a single line of JavaScript. Osano Products make compliance with data privacy laws simple, while also providing you with a way to monitor your vendors to ensure your supply chain isn’t putting you at risk. From subject rights to GDPR representatives, Osano is here to help you get and stay compliant.

For more detailed information about GDPR, check out our guide. If you'd like to learn more about the CCPA, we have a guide for that too.
